acc-create-rector-config

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill generates an executable PHP configuration file (rector.php). Evidence (ingestion points): the Usage section indicates the skill accepts user input for "Directories to process" and "Directories to skip". Evidence (capability): the generated file is a standard PHP script intended to be executed by the rector CLI tool. Risk: there are no instructions for the agent to sanitize these inputs. An attacker providing a path like "src'); system('id'); //" could result in code execution when the generated configuration is processed by the PHP interpreter during a Rector run.
  • [EXTERNAL_DOWNLOADS] (LOW): Suggests CI/CD configurations that pull third-party GitHub Actions (shivammathur/setup-php@v2). While common in the PHP ecosystem, these are external dependencies that execute in the user's environment and are not on the pre-approved trusted source list.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 08:32 AM